CVE-2024-3660: Keras code injection vulnerability

April 16, 2024 (updated August 2, 2024)

A arbitrary code injection vulnerability in TensorFlow’s Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application.

References

github.com/advisories/GHSA-x4wf-678h-2pmq
github.com/keras-team/keras
github.com/keras-team/keras/compare/r2.12...r2.13
kb.cert.org/vuls/id/253266
nvd.nist.gov/vuln/detail/CVE-2024-3660
www.kb.cert.org/vuls/id/253266

Detect and mitigate CVE-2024-3660 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →